Abstract

An extension of the WHILE-language is developed for programming game-theoretic mechanisms involving multiple agents. Examples of such mechanisms include auctions, voting procedures, and negotiation protocols. A structured operational semantics is provided in terms of extensive games of almost perfect information. Hoare-style partial correctness assertions are proposed to reason about the correctness of these mechanisms, where correctness is interpreted as the existence of a subgame-perfect equilibrium. Using an extensional approach to pre- and postconditions, we show that an extension of Hoare's original calculus is sound and complete for reasoning about subgame-perfect equilibria in game-theoretic mechanisms. We use the calculus to verify some simple mechanisms like the Dutch auction.


1 Introduction 

In recent years, games have become more prominent in different areas of computer science research. The reason for this seems to be the realisation that games form a natural generalisation of programs. This insight can be realised on a number of different levels (we shall only mention two): On a foundational level, games have been used to provide an alternative model of computation, the alternating Turing machine [3]. At a more abstract level, program logics like propositional dynamic logic have been extended to games [12].

From a game-theoretic perspective, much of this work is extremely narrow, since it mainly focuses on determined 2-player win/loss games of perfect information. On the other hand, game theory has developed a wealth of techniques to study more complicated situations where agents interact, involving more than two players, imperfect information, and preferences over outcomes which cannot be captured by simply distinguishing between winning and losing. Still, it has been suggested [13] that by combining research in game theory and computer science, we may be able to obtain a better understanding of social software, i.e., of the formal properties of the social processes we are involved in. The present paper tries to contribute to this aim.

More concretely, we attempt to generalise techniques from formal program verification to games or game-theoretic mechanisms such as auctions, voting procedures, etc. From a logical perspective, two approaches suggest themselves. On the one hand, one might extend model checking approaches [4], where one uses, for instance, temporal logic to specify properties of a system (program/game) and proceeds to verify these properties using model checking. This approach has been generalised to reason about coalitional power in games [14]. On the other hand, one can try to extend approaches based on theorem proving, using a formal calculus in which one can derive certain properties of a system. This approach will be taken here.

The axiomatic or compositional approach to program verification was introduced by Hoare [7] and Dijkstra [5], and provided the foundation stone for formal program verification [10, 1, 6]. In Hoare's calculus, correctness assertions of the form {P}π{Q} are used to express that program π, when executed in a state satisfying P, will terminate in a state satisfying Q (provided it does terminate). In generalising the program verification approach to games, this paper makes two contributions: First, it defines a programming language which is a simple extension of the WHILE-language sufficient to program game-theoretic mechanisms. The syntax of this language is defined in section 2, and section 3 provides a structured operational semantics in terms of extensive games of almost perfect information. Second, we are going to extend Hoare's calculus to reason about the correctness of these mechanisms, where correctness is interpreted as the existence of a subgame-perfect equilibrium with a certain payoff. In section 4, we define our new notion of correctness by providing a game-theoretic interpretation of {P}γ{Q}, also linking it to the game-theoretic notion of implementation and mechanism design. Section 5 presents an extensional calculus for reasoning about mechanism correctness, and provides proofs of soundness and completeness. Finally, section 6 illustrates the calculus in the verification of a few simple mechanisms.


2 Syntax of MPL 

Our mechanism programming language (MPL) is a simple extension of standard imperative programming languages; more concretely, our point of departure is the well-known WHILE-language (see e.g. [10]). We assume throughout that we are given a nonempty set of agents or players Ags, a set of mechanism variables MV, a set of function symbols Funs and a set of relation symbols Rels. Using these, we inductively define terms t, boolean expressions B and mechanisms (or game forms) γ as follows:
$$
\begin{array}{lcl}
t &::=& x \mid f^k(t_1, \ldots, t_k)\\[2pt]
B &::=& \mathit{true} \mid R^k(t_1, \ldots, t_k) \mid \neg B \mid B_1 \wedge B_2\\[2pt]
\gamma &::=& x := t \mid \gamma_1;\gamma_2 \mid \mathbf{if}\ B\ \mathbf{then}\ \gamma_1\ \mathbf{else}\ \gamma_2 \mid \mathbf{while}\ B\ \mathbf{do}\ \gamma \mid \mathit{ch}_A(\{x_a \mid a \in A\})
\end{array}
$$

where a ∈ Ags, f^k ∈ Funs is a k-ary function symbol (in case k = 0 we are dealing with constants), R^k ∈ Rels is a k-ary relation symbol, x, x_a ∈ MV, and A ⊆ Ags is finite and nonempty.

The last construct presents the only addition to the standard WHILE-language: ch_A lets each agent a ∈ A choose any value for the variable x_a. The agents in A make their choices simultaneously, so in order to prevent conflicting assignments to variables, we require all the x_a to be distinct. One can think of the ch_A construct as a strategic game among n agents, where the strategic choice of an agent is represented by the value of his/her variable. While the set of agents may be infinite, we require each ch_A construct to involve only finitely many agents. In the special case where |A| = 1, we have a simple nondeterministic choice. More concretely, in case agent 1 can choose between 2 different strategies, executing γ_1 vs. executing γ_2, we can describe this situation as

    ch_{1}({x_1}); if x_1 = 0 then γ_1 else γ_2,

where we assume that the domain of computation is the set of natural numbers, for instance, and = ∈ Rels and 0 ∈ Funs.

MPL is an extremely general programming language for a large variety of different kinds of mechanisms. In section 4 we shall use it for defining mechanisms for different kinds of auctions. Voting procedures are further examples of mechanisms which can be programmed using MPL. As an example, the well-known Borda-count procedure (see, e.g., [2]) can be programmed as follows:

    ch_Ags({x_1, x_2, ..., x_N});
    i := 1;
    while i ≤ K do c_i := 0; i := i + 1;
    a := 1;
    while a ≤ N do
        i := 1;
        while i ≤ K do
            c_i := c_i + x_a[i];
            i := i + 1;
        a := a + 1

In this example, we assume that Ags = {1, 2, ..., N}, and that the agents have to choose among K candidates. First, each agent a can cast a ballot of the form x_a = (p_1, p_2, ..., p_K), where p_i is the number of points the agent gives to candidate i. Ballots have to be rankings of candidates, i.e., the most preferred candidate must obtain K points, the next preferred candidate K − 1 points, etc., so that the least-preferred candidate obtains 1 point. Hence, we assume implicitly that the domain of computation contains these possible ballots, and that the initial choice assigns a ballot to each x_a. (Note that since the domain of computation will also contain the natural numbers, we need to make sure that each x_a is assigned an element of the appropriate ballot type, but we shall ignore this problem in order to keep the algorithm simple.) Once the ballots are cast, a is initialised to the first agent, and i to the first candidate. The variable c_i counts the number of points accumulated by candidate i, and is initialised to 0. The main part of the algorithm then simply sums up the points for each candidate, where x_a[i] refers to p_i, in case x_a = (p_1, p_2, ..., p_K). The winner of the vote will be the candidate accumulating the most points.
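The Borda procedure above, carried out with the ballot-type check that the text sets aside, as an added example (Python, not part of the paper): a ballot is accepted only if it is a ranking, i.e., a permutation of the points K, K−1, ..., 1; the sample election is constructed here.

```python
def valid_ballot(ballot, k):
    """A ballot (p_1, ..., p_K) is a ranking iff it is a permutation of K, ..., 1."""
    return len(ballot) == k and sorted(ballot) == list(range(1, k + 1))


def borda_count(ballots, k):
    """Point totals c_1, ..., c_K for the ballots x_1, ..., x_N, returned as a
    list whose index i-1 holds c_i.  A ballot that is not a ranking is rejected
    instead of being summed: this is the type check the MPL program leaves
    implicit."""
    c = [0] * k
    for a, x_a in enumerate(ballots, start=1):
        if not valid_ballot(x_a, k):
            raise ValueError(f"agent {a}: {x_a!r} is not a ranking of {k} candidates")
        for i in range(k):
            c[i] += x_a[i]          # c_i := c_i + x_a[i]
    return c


def borda_winners(ballots, k):
    """Candidates (numbered from 1) with the maximal Borda score; ties are all reported."""
    c = borda_count(ballots, k)
    best = max(c)
    return [i + 1 for i, c_i in enumerate(c) if c_i == best]


# Constructed sample election: N = 3 agents rank K = 3 candidates.
SAMPLE_BALLOTS = [(3, 2, 1), (3, 1, 2), (1, 3, 2)]

if __name__ == "__main__":
    print(borda_count(SAMPLE_BALLOTS, 3), borda_winners(SAMPLE_BALLOTS, 3))
```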

A further example of a well-known mechanism which can be programmed in MPL is a version of Rubinstein's negotiation protocol of alternating offers (see [11, 8]).

    agree := false;
    optout := false;
    i := 1;
    while ¬optout ∧ ¬agree do
        if i = 1 then ch_{1}({x}) else ch_{2}({x});
        if i = 1 then ch_{2}({y}) else ch_{1}({y});
        if y = 0 then agree := true
        else if y = 1 then optout := true else i := 3 − i

For simplicity, we have assumed that there are only two agents who try to reach 
an agreement over, e.g., the price of a car which agent 1 wants to sell to agent 
2, and so we can assume the domain of computation to be simply the natural 
numbers. The negotiation procedure can end in an agreement concerning the 
price, one of the agents can opt out of the negotiation (in which case some 
predetermined event will occur), or the negotiation can go on forever. The 
protocol starts by agent 1 making a price offer x. Agent 2 responds by choosing 
y, where we interpret y = 0 as signalling agreement to the price offered, y = 1 as 
a decision to opt out of the negotiation, and any other value for y as signalling 
the desire to make a counteroffer, upon which we get another iteration of the 
loop with the roles reversed. 

The above negotiation protocol is very general, and numerous instances of 
it have been analysed game-theoretically [8]. We shall not go into this or the 
voting mechanism in more detail, since our main aim at this point is only to 
suggest the generality of the mechanism programming language defined. Section 
6 will provide a more detailed and more formal treatment of examples such as 
the ones given here. In the following section, we shall provide a formal semantics 
for this language in terms of games. Furthermore, we will subsequently provide 
a calculus for reasoning about the existence of game-theoretic equilibria in these 
mechanisms, and about the payoffs the agents obtain in equilibrium. 

Note that MPL only allows one to construct mechanisms with almost-perfect information, i.e., agents are perfectly informed about all the choices made except possibly for simultaneous moves. Different subclasses of MPL-mechanisms correspond to various natural assumptions regarding the power of the mechanism designer and the agents in general. The class MPL(PRG) of programs is the class of MPL-mechanisms which do not contain any ch_A construct. Without this construct, MPL is simply the WHILE-language. The class MPL(PI) of perfect-information mechanisms restricts the use of ch_A to cases where |A| = 1, i.e., where all choices involve only a single agent. Perfect-information mechanisms allow different agents to make choices at different times, but all choices are public; there are no simultaneous moves.


3 Structured Operational Semantics via Games 

The most detailed semantics we can provide for MPL expressions is a structured operational semantics which specifies the configurations a mechanism can be in and the possible transitions between configurations. For programs, such a semantics gives rise to an execution sequence or trace, and in the case of nondeterministic programs to an execution tree. Since in the case of mechanisms we are dealing with multiple agents, we arrive at a game tree whose positions are the possible configurations of the mechanism.

As is standard in first-order logic, we will work with an interpretation I which provides us with a domain D_I and functions and relations over D_I as interpretations for the symbols in Funs and Rels. Furthermore, we assume that besides the relations associated to symbols in Rels, our interpretation contains an additional binary relation ≥_a for every agent a ∈ Ags. The relation ≥_a will be used to represent agent a's preference over the elements of the domain. Note that mechanisms programmed in MPL cannot refer to these preferences, since ≥_a ∉ Rels.

The only requirements on I are that the preference relations ≥_a ⊆ D_I × D_I satisfy the following properties: (1) ≥_a must be a partial pre-order, i.e., a reflexive and transitive relation on D_I, and (2) there is a uniformly worst outcome (which we denote as −∞), i.e., there is some d ∈ D_I such that for all a ∈ Ags and x ∈ D_I we have x ≥_a d. Usually, preference relations will be total orders, but our framework does not require this. The uniformly worst outcome is needed to deal with some infinite runs resulting from while-loops; it plays no substantive role in any of the examples considered.

A state s : MV → D_I is a function assigning a domain element to each mechanism variable. Let S_I be the set of all states over I. In general, whenever the intended interpretation I is clear we shall tend to omit it. The following standard logical notation will be used: I, s ⊨ φ denotes that a first-order formula φ whose variables are all in MV is true in I at state s. Similarly, we let φ^I = {s ∈ S_I | I, s ⊨ φ}. Again, when the intended interpretation is clear, we shall often simply write s ⊨ φ.

Given interpretation I and an initial state s_0, we shall interpret every mechanism γ as a game form of almost-perfect information G(γ, s_0, I). Let Cfg denote the set of configurations, i.e., the set of all pairs (γ, s) where γ is a mechanism or the empty mechanism Λ, and s is a state. We define a transition relation →_A ⊆ Cfg × Cfg for A ⊆ Ags such that c →_A c' states that the game can proceed from c to c' provided the agents in A make some choice/move. In case the move does not require any agent to make a choice, we will have A = ∅. In the standard way (see e.g. [10]), we define the →_A relations inductively as the smallest sets satisfying the following axioms and inference rules, the only novelty here being the definition for ch_A:



where s^t_x(y) = s(y) for y ≠ x and s^t_x(x) = the interpretation of t in I at s.

Let Cfg* be the set of all finite nonempty sequences of configurations c_0, c_1, ..., c_n such that c_j = (γ_j, s_j) and

$$(\gamma_0, s_0) \rightarrow_{A_1} (\gamma_1, s_1) \rightarrow_{A_2} \cdots \rightarrow_{A_n} (\gamma_n, s_n),$$

and let Cfg*_a be those sequences which end in a configuration c_n for which there is some configuration c_{n+1} and set A ⊆ Ags such that c_n →_A c_{n+1} and a ∈ A. Infinite configuration sequences as well as finite configuration sequences c_0, ..., c_n for which there is no c_{n+1} and A such that c_n →_A c_{n+1} are called terminal, and we denote the set of terminal sequences as Cfg*_t.

The move relations give rise to the game tree or semi-game G(γ, s_0, I) which starts at the initial position/configuration (γ, s_0). We interpret Cfg* as the set of (partial) histories of the game, where each agent a gets to move at the positions which are in Cfg*_a. Note that we talk of a tree, since we can think of possible loops as infinite branches. While we shall usually refer to G(γ, s_0, I) as a game (omitting the "semi"), note that a semi-game lacks a link between runs/histories and preferences, for although I does contain information about the players' preferences over outcomes, the triple G does not have any mapping between histories of the game and outcomes. Such a mapping ℴ will be added shortly.

A strategy for agent a in semi-game G(γ_0, s_0, I) is a function σ^a : Cfg*_a → D_I. Given a strategy profile σ = (σ^1, ..., σ^n), i.e., a strategy σ^a for every agent a ∈ Ags, we obtain a unique (possibly infinite) run which we denote as run(σ), i.e., a maximal sequence of configurations

$$(\gamma_0, s_0) \rightarrow_{A_1} (\gamma_1, s_1) \rightarrow_{A_2} \cdots$$

where (γ_0, s_0) is the initial configuration, and for all A_{k+1} ≠ ∅ we have s_{k+1}(x_i) = σ^i((γ_0, s_0), ..., (γ_k, s_k)) for all i ∈ A_{k+1}, and s_{k+1}(y) = s_k(y) otherwise. If run(σ) is finite, we let s_σ denote the state associated to the last configuration of run(σ).

Preferences, Predicates, and Strategic Equilibria 

Each agent has certain preferences over the various possible outcomes of the mechanism. Given interpretation I and two outcomes o, o' ∈ D_I, agent i prefers o at least as much as o' whenever o ≥_i o' holds. Often, the elements in D_I will be elements of some product space, so that, e.g., (o_1, o_2) ∈ ℝ × ℝ will yield outcome o_1 for player 1 and outcome o_2 for player 2, where (o_1, o_2) ≥_1 (o'_1, o'_2) iff o_1 ≥ o'_1.

An outcome function ℴ : Cfg*_t → D_I assigns an outcome to every terminal history, and we let O denote the set of all outcome functions. Given a semi-game G(γ, s, I) we then obtain a game G(γ, s, I, ℴ), where for each terminal sequence of configurations c the associated outcome is ℴ(c), and agent i prefers c_1 to c_2 iff ℴ(c_1) ≥_i ℴ(c_2). Given profile σ, we usually write ℴ(σ) instead of ℴ(run(σ)), as we shall not be very careful about distinguishing σ from run(σ).

Subgames of games will play a special role in the equilibrium notion to be defined subsequently. A game G'(γ', s', I, ℴ|G') is a subgame of a game G(γ, s, I, ℴ) iff there is a finite sequence of configurations

$$(\gamma_0, s_0) \rightarrow_{A_1} (\gamma_1, s_1) \rightarrow_{A_2} \cdots \rightarrow_{A_n} (\gamma_n, s_n)$$

for some n ≥ 0 such that (γ_0, s_0) = (γ, s) and (γ_n, s_n) = (γ', s'). The outcome function ℴ|G' is the restriction of ℴ to G', i.e., ℴ|G'((γ_n, s_n), ..., (γ_{n+k}, s_{n+k})) = ℴ((γ_0, s_0), ..., (γ_n, s_n), ..., (γ_{n+k}, s_{n+k})). Similarly, for a strategy profile σ for G, we let σ|G' denote its restriction to G', where σ^a|G'((γ_n, s_n), ..., (γ_{n+k}, s_{n+k})) = σ^a((γ_0, s_0), ..., (γ_n, s_n), ..., (γ_{n+k}, s_{n+k})).

Now that we have defined how executions of mechanisms give rise to game trees, we can apply two well-known equilibrium notions from game theory (see, e.g., [11] for a discussion of these notions). Given a strategy profile σ = (σ^1, ..., σ^n) and a strategy τ^i for player i, let (σ^{−i}, τ^i) denote the modified strategy profile (σ^1, ..., τ^i, ..., σ^n). Furthermore, we write σ ≈_i τ to denote that the strategy profiles σ and τ differ at most regarding the strategy prescribed for player i. Considering any game G(γ, s, I, ℴ), we call a strategy profile σ a Nash equilibrium (NE) in G iff for all agents i and strategies τ^i we have ℴ(σ) ≥_i ℴ(σ^{−i}, τ^i). Furthermore, σ is a subgame-perfect equilibrium (SPE) iff for every subgame G' of G, σ|G' is a Nash equilibrium in G'.
We shall usually obtain an outcome function ℴ from an extended predicate, to be explained now. Given a state s : MV → D_I and an outcome o ∈ D_I, we call (s, o) an extended state, or e-state for short. A predicate on I is simply a set of states P ⊆ S_I, and hence every FOL formula φ containing only variables of MV gives rise to a predicate φ^I. Similarly, an extended predicate, or e-predicate for short, is a set of e-states P ⊆ S_I × D_I, and every FOL formula which contains variables of MV plus a new outcome variable x_o ∉ MV gives rise to an e-predicate. We say that e-predicate P is functional iff for every s ∈ S_I there exists a unique o ∈ D_I such that (s, o) ∈ P. Given two predicates (or alternatively, two e-predicates), intersection, complementation, etc. can be defined simply set-theoretically. Given a predicate P_1 and an e-predicate P_2, however, we define

$$P_1 \cap P_2 = \{(s, o) \in P_2 \mid s \in P_1\}.$$

Games can be obtained from extended predicates as follows: Given semi-game G(γ, s, I) and e-predicate Q, let O_Q contain all the outcome functions ℴ which assign an outcome satisfying Q to every finite history, i.e.,

$$O_Q = \{\, \mathcal{o} \in O \mid \forall\, run(\sigma) \in Cfg^*_t : \text{if } run(\sigma) \text{ is finite then } (s_\sigma, \mathcal{o}(\sigma)) \in Q \,\}.$$

Note that in general, O_Q may be empty or contain multiple outcome assignments. But given e-predicate Q and some ℴ_Q ∈ O_Q, we are able to turn the semi-game G(γ, s, I) into a game G(γ, s, I, ℴ_Q).

4 Mechanism Correctness 

4.1 Hoare Logic: From Programs to Games

Hoare in [7] introduced correctness assertions of the form {P}γ{Q}, where γ is a program and P and Q are predicates. The intended interpretation of this assertion is that in every state which satisfies P, any terminating execution of program γ ends in a state which satisfies Q. In this paper, we shall extend this approach to reason about the correctness of game-theoretic mechanisms under subgame-perfect equilibria.

In lifting standard Hoare triples to games we generalise them in two ways. We can view the postcondition Q as specifying the winning condition for the game, i.e., all plays of the game ending in a state which satisfies Q are a win, all others a loss. Note that under the partial correctness reading, infinite runs are in fact also treated as wins. Our first generalisation consists of moving from simple win/loss situations, represented by predicates, to general preference structures. This is achieved by moving from predicates to e-predicates which also specify the outcome or payoff at a state. Second and more importantly, we move from simple claims about the existence of a strategy profile satisfying the postcondition to more refined claims about the existence of a strategy profile which has an equilibrium property. This equilibrium property is generally quite complex, and it is the complexity of this equilibrium property which can present a challenge to compositionality, in particular to the Hoare inference rule for composing two programs/games (see lemma 1 below).



Before defining our mechanism correctness assertions {P}γ{Q}, it is important to point out that we are following an extensional rather than an intensional approach (see also [10]). We assume that pre- and postconditions are predicates, i.e., semantic objects rather than formulas of some logical language. Naturally, this means that the calculus we present later is not fully syntactic. In the intensional approach, however, one runs into the problem of expressiveness, since it may happen that under a given interpretation the logical language is not rich enough to express all the preconditions needed. This complicates completeness proofs considerably, due to the need for an arithmetisation of syntax (Gödelisation), etc. Furthermore, we feel that this extra work yields more insights about the logic used for the assertion language (usually first-order logic) than about the game-theoretic mechanisms and their equilibria, which is what we are interested in here.

Due to its fully syntactic nature, it does seem likely that the automated verification of mechanisms would benefit from using the intensional approach, and we do intend to investigate this approach in the future (see also comments in the last section). However, note that in contrast to most computer programs, whose domain of computation contains at least the natural numbers, mechanisms like voting procedures often use a finite domain of computation, e.g., because there is only a small number of possible candidates running for president. In such cases, it may in fact be easier to do automatic verification using the extensions of the predicates directly. Second, even if this is not the case, the best logic to choose for automated verification may very much depend on the class of mechanisms under consideration, the theorem prover to be used, etc. Hence, for our present purposes, we decide to postpone these issues since they are more relevant for implementation, and the extensional approach conveniently allows us to do so.

4.2 Mechanism Correctness and Implementation 

Assume that we are given some interpretation I, a mechanism γ, and e-predicates P and Q. Then we say that {P}γ{Q} is valid in I, denoted as I ⊨ {P}γ{Q}, iff

    for every (s, o) ∈ P, there is an outcome function ℴ ∈ O_Q and a strategy profile σ such that σ is an SPE in G(γ, s, I, ℴ) and ℴ(σ) = o.

The notion defined indeed generalises the standard partial correctness assertions of Hoare in the following way: Given an arbitrary element d ∈ D_I and a predicate P ⊆ S_I, let P* = {(s, d) | s ∈ P}. Then given any program γ ∈ MPL(PRG) and predicates P and Q, the partial correctness assertion {P}γ{Q} holds in interpretation I iff I ⊨ {P*}γ{Q*}.

In order to link our mechanism correctness assertion to the game-theoretic literature on mechanism design and implementation theory [11, 9, 15], we shall define our version of the mechanism design problem more formally. Given a set of possible outcomes D_I of the mechanism and the set of preference profiles over D_I, a social choice correspondence f maps a preference profile (≥_i)_{i∈Ags} to a set of outcomes X ⊆ D_I. The idea is that at preference profile (≥_i)_{i∈Ags}, society or the mechanism designer wants one of the outcomes in f((≥_i)_{i∈Ags}) to be implemented or achieved. In case f((≥_i)_{i∈Ags}) is empty, society is indifferent to the outcome actually realised. The mechanism design problem is to find a mechanism which implements the social choice correspondence in a non-centralised manner, i.e., no matter what the preferences of the agents are, self-interested agents will have an incentive to play so that the outcome intended by the designer will obtain. We shall now see how this problem can be translated into our mechanism correctness assertions.

For a preference profile (≥_i)_{i∈Ags} where each ≥_i ⊆ D_I × D_I, let I[(≥_i)_{i∈Ags}] denote the model which is obtained from I by replacing the interpretation of the preference relations by the ≥_i. Furthermore, for a given social choice correspondence f, let f*(x) = {(s, o) ∈ S_I × D_I | o ∈ f(x)}, and let Q be any functional e-predicate. Then we say that the pair (γ, Q) SPE-implements a social choice correspondence f iff for all preference profiles (≥_i)_{i∈Ags} we have

$$I[(\geq_i)_{i \in Ags}] \models \{\, f^*((\geq_i)_{i \in Ags}) \,\}\ \gamma\ \{\, Q \,\}.$$

To see what this statement actually expresses, let us unpack the definition: (γ, Q) SPE-implements social choice correspondence f iff

    for all preference profiles (≥_i)_{i∈Ags}, for all states s ∈ S_I, and for all o ∈ f((≥_i)_{i∈Ags}), there is some ℴ ∈ O_Q and some strategy profile σ such that σ is an SPE for G(γ, s, I[(≥_i)_{i∈Ags}], ℴ) and ℴ(σ) = o.

Note that this notion of implementation is a weak notion which does not ask every but only some equilibrium profile to yield the desired outcome; hence, strictly speaking, we are dealing with mechanism design rather than implementation theory. In the remainder of this section, we shall look at a few concrete examples of mechanism design.

4.3 Auctions 

Over the domain of natural numbers, the mechanism

    ch_{1,2}({x_1, x_2})

can represent a sealed-bid auction where the two players simultaneously choose their bids, e.g., in euros, in order to obtain some desirable object, say a piano. Since this game is atomic, the notions of SPE and NE coincide, and hence we can phrase the existence of Nash equilibria using the correctness notion defined earlier.

Consider the case of a second-price auction where the player who makes the highest bid has to pay the price of the loser's bid. We assume that our model I has the natural numbers as its domain, and contains two constants v_1 and v_2 whose values denote the private valuations of the players. Instead of representing outcomes as pairs o = (o_1, o_2) we shall assume that there are two outcome variables o_1 and o_2 which determine the payoffs of players 1 and 2, respectively. A player's payoff is 0 if he fails to obtain the piano, and his valuation minus the other player's bid if he does obtain the piano. The preference ordering over elements of the domain is the obvious one: d_1 ≥_i d_2 iff d_1 ≥ d_2. Note that a player's preference relation is completely determined by his valuation.

The postcondition of the second-price auction is the e-predicate expressed by the following formula ψ:

$$(x_1 \geq x_2 \rightarrow (o_1 = v_1 - x_2 \wedge o_2 = 0)) \wedge (x_1 < x_2 \rightarrow (o_1 = 0 \wedge o_2 = v_2 - x_1))$$

It is easy to see that this postcondition expresses the payoffs of the players in the second-price auction. Note also that the postcondition formalises the tie-breaking rule which assigns the object to player 1 in case the bids are equal. Now consider the e-predicate expressed by the following formula φ:

$$(v_1 \geq v_2 \rightarrow (o_1 = v_1 - v_2 \wedge o_2 = 0)) \wedge (v_1 < v_2 \rightarrow (o_1 = 0 \wedge o_2 = v_2 - v_1))$$

We claim that I ⊨ {φ^I} ch_{1,2}({x_1, x_2}) {ψ^I}: If player 1's valuation is at least as high as player 2's valuation, then the auction has a Nash equilibrium in which player 2's payoff is 0 and player 1's payoff is the difference between the valuations. Similarly in case player 2's valuation is higher.

To see why this is so, note that it is a well-known result in game theory (see, e.g., [11]) that in a second-price sealed-bid auction, bidding your valuation results in a Nash equilibrium (in fact, it is even a dominant strategy). Hence, if each player bids x_i = v_i, the outcomes are the ones specified by φ, and the strategies are in equilibrium.

In fact, from the validity of {φ^I} ch_{1,2}({x_1, x_2}) {ψ^I} we can derive some information about the nature of the equilibrium strategies. For suppose w.l.o.g. that v_1 ≥ v_2. Using precondition φ, we know that o_1 = v_1 − v_2 and o_2 = 0. Now we can distinguish two cases: In the first case, we have a Nash equilibrium (and hence also an SPE) where player 1 bids less than player 2, i.e., x_1 < x_2. Now using the postcondition ψ and the fact that the outcome variables o_1 and o_2 are never changed by any mechanism, we know that o_1 = 0 and o_2 = v_2 − x_1. Hence x_1 = v_2 = v_1 and x_2 > v_2 = v_1, i.e., the players' valuations must be the same and player 2 must bid higher than his valuation. It is easy to check that these bids indeed constitute a Nash equilibrium. In the second case, we have a Nash equilibrium with x_1 ≥ x_2. Again using the postcondition, o_2 = 0 and o_1 = v_1 − x_2. Hence, x_2 = v_2 and x_1 ≥ v_2. Thus, player 2 bids his valuation and player 1 bids at least player 2's valuation. Again, these bid combinations all constitute Nash equilibria, and our intended equilibrium, where each player bids his own valuation, is included in this second case.
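The correctness assertion {φ} ch_{1,2}({x_1, x_2}) {ψ} for the second-price auction, checked by brute force, as an added example (Python, not part of the paper). Because the mechanism is atomic, SPE and NE coincide, so the check enumerates bid profiles over a constructed finite range of bids and valuations (the paper's domain is all natural numbers; the bound is an assumption that keeps the search finite) and also recovers the two equilibrium cases derived in the text.

```python
from itertools import product

# Constructed finite range of bids and valuations (assumption: the paper's
# domain is the natural numbers; a bound keeps the profile enumeration finite).
BIDS = range(0, 7)


def psi(x1, x2, v1, v2):
    """Postcondition psi: payoffs (o1, o2) at bids x1, x2 and valuations v1, v2.
    The higher bidder wins (player 1 on ties) and pays the loser's bid."""
    if x1 >= x2:
        return (v1 - x2, 0)
    return (0, v2 - x1)


def phi(v1, v2):
    """Precondition phi: the outcome (o1, o2) demanded at valuations v1, v2."""
    if v1 >= v2:
        return (v1 - v2, 0)
    return (0, v2 - v1)


def is_nash(x1, x2, v1, v2, bids=BIDS):
    """(x1, x2) is a Nash equilibrium of ch_{1,2}({x1,x2}) iff no unilateral
    deviation strictly improves the deviating player's payoff.  The mechanism
    has no proper subgames, so this is also the SPE test."""
    o1, o2 = psi(x1, x2, v1, v2)
    if any(psi(y, x2, v1, v2)[0] > o1 for y in bids):
        return False
    return not any(psi(x1, y, v1, v2)[1] > o2 for y in bids)


def equilibria_with_outcome(v1, v2, target, bids=BIDS):
    """All equilibrium bid profiles whose payoff vector equals `target`."""
    return sorted((x1, x2) for x1, x2 in product(bids, repeat=2)
                  if is_nash(x1, x2, v1, v2, bids)
                  and psi(x1, x2, v1, v2) == target)


def triple_holds(v1, v2, bids=BIDS):
    """I |= {phi} ch_{1,2}({x1,x2}) {psi} at the e-state given by (v1, v2):
    the outcome phi asks for is realised by some SPE of the game that psi
    induces (psi is functional, so it fixes the outcome function)."""
    return bool(equilibria_with_outcome(v1, v2, phi(v1, v2), bids))


def verify_triple(bids=BIDS):
    """Check the assertion for every valuation pair in the finite range."""
    return all(triple_holds(v1, v2, bids) for v1, v2 in product(bids, repeat=2))


if __name__ == "__main__":
    print("triple valid on the finite domain:", verify_triple())
    # For v1 = v2 the text predicts exactly two families of equilibria realising
    # phi: x1 = v2 with x2 > v2, and x2 = v2 with x1 >= v2.
    print(equilibria_with_outcome(4, 4, (0, 0)))
```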

In a private-value environment, a sealed-bid second-price auction is essentially outcome equivalent to an English auction, where bidders keep increasing the price over a number of bidding rounds until there is no more bidder who wants to obtain the object for a higher price. In an English auction, bidding slightly more than the second-highest valuation will suffice to obtain the object. Analogously, we can consider a sealed-bid first-price auction where the winner has to pay his own bid rather than the second-highest bid. The first-price auction is essentially outcome equivalent to the Dutch (or descending) auction, where the auctioneer continues to lower the price of the object until a player decides to take the object for the current price. If the players' valuations are not public, the safe strategy is to stop the auction just below one's valuation, the result being that the player with the highest valuation will obtain the object for a price of almost his valuation.

Contrary to these results, we shall show in section 6 that from the perspective of SPEs, the Dutch auction is also similar to a sealed-bid second-price auction. In order to apply SPEs as a solution concept, we need to assume that players' preferences are public. In an auction, this means that players know each other's valuations. In this case, however, if v_1 > v_2, player 1 can wait longer before calling out to stop the Dutch auction; he can wait until the price reaches v_2 or just above. Hence, when preferences are public, it would seem that the Dutch auction and the second-price auction share an SPE. We will verify this claim in section 6, thereby also obtaining the precise conditions for this equivalence.

Finally, a further remark relating auction preconditions to the notion of SPE-implementation. In a second-price auction, we want to SPE-implement the social choice correspondence f which assigns to a preference profile (v_1, v_2) the outcome (o_1, o_2) with o_1 = v_1 − v_2 and o_2 = 0 in case v_1 ≥ v_2, and o_2 = v_2 − v_1 and o_1 = 0 in case v_1 < v_2. While the precondition φ given above does capture this social choice correspondence in an intuitive sense, note that it is not the precondition used in our definition of SPE-implementation. This is because SPE-implementation, as we defined it, requires a correctness claim for each preference profile separately. In contrast, our precondition φ covers all preference profiles in one precondition, since it conditions the assigned outcomes on the relationship between the valuation constants. This formulation leads to a much more general result and hence is usually preferable. In the next section, we shall present an example using the notion of SPE-implementation literally.

4.4 Solomon’s Dilemma 

The biblical dilemma of Solomon (1 Kings 3:16-28) has often been used to illustrate the basic idea of implementation theory [11, 9]. In the same spirit, we shall use it here to illustrate our notion of SPE-implementation. The game-theorist will get the additional benefit of seeing a well-known example of implementation theory translated into our framework. Solomon's dilemma is that two women have come before him with a small child, both claiming to be the mother of the child. 


He sent for a sword, and when it was brought, he said, “Cut the 
living child in two and give each woman half of it.” The real mother, 
her heart full of love for her son, said to the king, “Please, Your 
Majesty, don’t kill the child! Give it to her!” But the other woman 
said, “Don’t give it to either of us; go on and cut it in two.” Then 
Solomon said, “Don’t kill the child! Give it to the first woman, she 
is its real mother.” 
The story exemplifies the need for a mechanism very well: Since Solomon does not know who the real mother is (i.e., he does not know the women's preferences), he cannot impose the outcome of his choice function directly. Rather, he needs to devise a mechanism which will provide an incentive to the women to reveal this information to him. 

To mathematically model Solomon's situation, we consider three outcomes: $a$ (baby is given to Anne, player 1), $b$ (baby is given to Bess, player 2), and $c$ (baby is cut in two). Solomon has to consider two possible situations: In case Anne is the real mother, the preference profile is given by $\theta_1$; in case Bess is the real mother, the preference profile is $\theta_2$. 

$$\theta_1 : \quad a >_1 b >_1 c \quad \text{and} \quad b >_2 c >_2 a$$
$$\theta_2 : \quad a >_1 c >_1 b \quad \text{and} \quad b >_2 a >_2 c$$

Solomon's problem is to find a mechanism which implements the social choice correspondence $f$ for which $f(\theta_1) = \{a\}$ and $f(\theta_2) = \{b\}$. In spite of Solomon's apparent cleverness, it turns out that $f$ is not Nash-implementable (see [9] for a proof). However, by slightly modifying the problem, one can obtain an implementation nonetheless. 

Let us consider the situation where instead of quarreling about a child, Anne and Bess argue about who is the owner of a painting. Furthermore, we allow Solomon to impose fines on the two women, i.e., we allow for monetary side payments. We can then think of the possible outcomes as triples $(x, m_1, m_2)$, where $x \in \{0, 1, 2\}$ denotes who obtains the painting (0 denoting that it is cut in two), and $m_i$ denotes the fine player $i$ has to pay to Solomon. Now suppose that the legitimate owner of the painting has valuation $v_h$ and the other woman has valuation $v_l$, where $v_h > v_l > 0$. Then if player $i$ does not get the painting, her payoff is $-m_i$. If she does get the painting, her payoff will be $v_h - m_i$ in case she is the legitimate owner, and $v_l - m_i$ otherwise. If player $i$ is the legitimate owner, these payoffs will then induce a preference profile $\theta_i$ in the obvious way. In this new setup, Solomon wishes to implement the social choice rule $f$ for which $f(\theta_i) = \{(i, 0, 0)\}$, i.e., the painting is given to the legitimate owner and nobody has to pay any fines (we assume here that Solomon does not engage in dispute resolution to make money). More precisely, Solomon is looking for a pair $(\gamma, Q)$ which SPE-implements $f$, i.e., for which 

$$\mathcal{I}[\theta_1] \vdash \{o = (1, 0, 0)\}\,\gamma\,\{Q\} \quad \text{and} \quad \mathcal{I}[\theta_2] \vdash \{o = (2, 0, 0)\}\,\gamma\,\{Q\}.$$

The following mechanism $\gamma$ achieves this goal: First, Anne is asked whether the painting is hers or not. If she says no, the painting is given to Bess and no fines are imposed. Otherwise, Bess is asked the same question. If Bess answers that the painting is not hers, it is given to Anne, again without imposing any fines. Finally, in case both players have claimed to be the owner of the painting, Anne is fined a small amount $\varepsilon > 0$ and Bess gets the painting but has to pay a large amount $M$ for which $v_l < M < v_h$. The mechanism $\gamma$ can be programmed as follows, where we take the real numbers as our domain: 

    ch_{1}({x_1});
    if x_1 > 0 then owner := 2
    else ch_{2}({x_2});
         if x_2 > 0 then owner := 1 else owner := 0

As for the payoff specification, let $Q$ be the e-predicate corresponding to the following formula: 

$$(owner = 1 \to o = (1, 0, 0)) \wedge (owner = 2 \to o = (2, 0, 0)) \wedge (owner = 0 \to o = (2, \varepsilon, M))$$

Game theoretically, it is easy to verify that for preference profile $\theta_1$, the following game form has a subgame-perfect equilibrium yielding outcome $(1, 0, 0)$. We will return to this example in section 6 and give a formal verification of this mechanism. 

[Figure: game form of $\gamma$. Player 1 moves first, either ending the game with outcome $(2, 0, 0)$ or passing the move to player 2, who ends the game with outcome $(1, 0, 0)$ or $(2, \varepsilon, M)$.]

5 Axiomatic Mechanism Verification 

5.1 A Hoare-style Calculus 

Below we present a calculus for deriving the correctness assertions we introduced above. Note that the calculus is a natural generalisation of the standard Hoare calculus, where the only addition is an axiom for the new construct $ch_A$. Given an e-predicate $P$, we let $P[x/t] = \{(s, o) \in S_{\mathcal{I}} \times D_{\mathcal{I}} \mid (s[x/t], o) \in P\}$, where $s[x/t]$ denotes the state resulting from executing $x := t$ in $s$. 


$$\{Q[x/t]\}\; x := t\; \{Q\} \qquad \text{(ass.)}$$

$$\{wpre(ch_A(X), Q, \mathcal{I})\}\; ch_A(X)\; \{Q\} \qquad \text{(choice)}$$

$$\frac{\{P\}\,\gamma_1\,\{R\} \qquad \{R\}\,\gamma_2\,\{Q\}}{\{P\}\,\gamma_1;\gamma_2\,\{Q\}} \qquad \text{(comp.)}$$

$$\frac{\{P \cap B^{\mathcal{I}}\}\,\gamma_1\,\{Q\} \qquad \{P \cap (\neg B)^{\mathcal{I}}\}\,\gamma_2\,\{Q\}}{\{P\}\;\mathbf{if}\ B\ \mathbf{then}\ \gamma_1\ \mathbf{else}\ \gamma_2\;\{Q\}} \qquad \text{(if)}$$

$$\frac{\{P \cap B^{\mathcal{I}}\}\,\gamma\,\{P\}}{\{P\}\;\mathbf{while}\ B\ \mathbf{do}\ \gamma\;\{P \cap (\neg B)^{\mathcal{I}}\}} \qquad \text{(while)}$$

$$\frac{P \subseteq P' \qquad \{P'\}\,\gamma\,\{Q'\} \qquad Q' \subseteq Q}{\{P\}\,\gamma\,\{Q\}} \qquad \text{(l.c.)}$$

In the choice axiom, $wpre(\gamma, Q, \mathcal{I})$ refers to the weakest precondition of $Q$ under $\gamma$. Given interpretation $\mathcal{I}$, mechanism $\gamma$, and e-predicate $Q$, we define $wpre$ as follows: 

$$wpre(\gamma, Q, \mathcal{I}) = \{(s, o) \in S_{\mathcal{I}} \times D_{\mathcal{I}} \mid \exists \hat{o} \in O_Q\ \exists \sigma : \sigma \text{ is an SPE in } G(\gamma, s, \mathcal{I}, \hat{o}) \text{ and } \hat{o}(\sigma) = o\}$$

Note that by definition, $\mathcal{I} \models \{wpre(\gamma, Q, \mathcal{I})\}\,\gamma\,\{Q\}$, and for every e-predicate $P$ such that $\mathcal{I} \models \{P\}\,\gamma\,\{Q\}$, we have $P \subseteq wpre(\gamma, Q, \mathcal{I})$. Weakest preconditions will play an important role in the completeness proof of section 5.3. 

Let $A_{\mathcal{I}}$ be the smallest set of correctness assertions $\{P\}\,\gamma\,\{Q\}$ over $\mathcal{I}$ which includes the axioms and is closed under the inference rules above. We shall usually write $\{P\}\,\gamma\,\{Q\} \in A_{\mathcal{I}}$ as $\mathcal{I} \vdash \{P\}\,\gamma\,\{Q\}$. In order to gain some intuitions regarding this calculus, the reader may wish to consult section 6 before proceeding with the subsequent soundness and completeness results. 

Before establishing soundness and completeness of the calculus presented, some further comments regarding the choice axiom are in order. As mentioned, the calculus is extensional in the sense that preconditions and postconditions are semantic rather than syntactic objects, predicates rather than formulas of, say, first-order logic. As a consequence, we do not get a syntactic proof system, but rather what one might call a compositional proof methodology. Hence, while the precondition of the choice axiom may seem tautological, it still suffices to reduce reasoning about subgame-perfect equilibria in complex games to reasoning about Nash equilibria in simple games. Hence, while we are still in need of a semantic argument to establish the Nash equilibrium, it is a simpler semantic argument which applies only to the simplest game, the atomic choice game. As the examples in section 6 will illustrate, this decomposition is achieved by moving the complexity from the mechanism into the mechanism's postcondition or payoff assignment, and it is this which the calculus allows one to do. In other words, the complexity is moved from the dynamic to the static part, from the mechanism to the predicates describing pre- and postconditions. 

In verification practice, it turns out that the precondition of the choice axiom is often rather analogous to the precondition of the assignment axiom, where Nash equilibrium strategies are substituted for the choice variables in the precondition. Slightly more formally, suppose that the postcondition $Q$ is a functional e-predicate which simply assigns outcomes based on the choice variables, and that $Q$ only contains these choice variables and no other variables. An example of such a postcondition is the postcondition $\psi$ of the second-price auction discussed in section 4.3. Since this postcondition depends on the state only in terms of the choice variables, we can say that the weakest precondition of the choice construct is simply $Q$ where each choice variable $x_i$ is replaced by the Nash equilibrium strategy of player $i$ in the choice game played in any state with payoffs given by $Q$. In fact, this is precisely what happened with the precondition $\varphi$ of the second-price auction where $x_i$ is replaced by $v_i$. In general, however, things are not quite so simple, as the analysis of the Dutch auction in section 6 will illustrate. 


5.2 Soundness 

The following lemma presents the first of the two most difficult cases of the 
subsequent soundness result. It guarantees that equilibria of subgames can be 
composed into equilibria of the supergame. 

Lemma 1 (Composition) If we have both $\mathcal{I} \models \{P\}\,\gamma_1\,\{R\}$ and $\mathcal{I} \models \{R\}\,\gamma_2\,\{Q\}$ then $\mathcal{I} \models \{P\}\,\gamma_1;\gamma_2\,\{Q\}$. 

Proof. Let $(s, o) \in P$, and consider $G(\gamma_1;\gamma_2, s, \mathcal{I})$. By our first assumption, there is an outcome function $\hat{o}_1 \in O_R$ and a strategy profile $\sigma_1$ such that $\sigma_1$ is an SPE in $G_1(\gamma_1, s, \mathcal{I}, \hat{o}_1)$ and $\hat{o}_1(\sigma_1) = o$. 

Now for every finite run $\tau_1$ of $G_1$ ending in some terminal state $t$ with $\hat{o}_1(\tau_1) = o_t$, since $(t, o_t) \in R$, we know by our second assumption that there is some outcome function $\hat{o}_t \in O_Q$ and some strategy profile $\sigma_t$ such that $\sigma_t$ is an SPE in $G_t(\gamma_2, t, \mathcal{I}, \hat{o}_t)$ and $\hat{o}_t(\sigma_t) = o_t$. Taken together, $\sigma_1$ and the $\sigma_t$ induce a strategy profile $\sigma$ for $G$, and similarly $\hat{o}_1$ (for the infinite runs of $G_1$) and the $\hat{o}_t$ induce an outcome function $\hat{o} \in O_Q$ for $G$. Hence, it remains to show that $\sigma$ is an SPE and that $\hat{o}(\sigma) = o$. 

First, it is easily seen that $\hat{o}(\sigma) = o$, for $\hat{o}_1(\sigma_1) = o$, and so in case $\sigma_1$ is finite, $(s_{\sigma_1}, o) \in R$, from which by definition it follows that $\hat{o}(\sigma) = o$. Second, we need to show that $\sigma$ is an SPE in $G(\gamma_1;\gamma_2, s, \mathcal{I}, \hat{o})$. So consider any subgame $G'(\pi, t, \mathcal{I})$ of $G$. In the easy case, $G'$ will be a subgame of some $G_{t'}$, where $t'$ is a terminal state in $G_1$, for in this case, our second assumption immediately guarantees the equilibrium property. In the more complicated case, $G'$ lies partly in $G_1$. For simplicity, we shall for the rest of this argument assume that $\sigma = \sigma_1 \cdot \sigma_2$ refers to its restriction to $G'$. So consider any strategy profile $\tau = \tau_1 \cdot \tau_2$ for $G'$ which differs from $\sigma = \sigma_1 \cdot \sigma_2$ only in the strategy of some player $i$, where $\sigma_1$ and $\tau_1$ both yield finite runs. Suppose further that $\hat{o}(\sigma) = o_0$ and $\hat{o}(\tau) = o_2$, as depicted below. 

Now supposing that $\hat{o}(\tau_1 \cdot \sigma_2) = o_1$, we know by definition of $\sigma$ that $o_1 \geq_i o_2$, and that $\hat{o}_1(\tau_1) = o_1$. Furthermore, since $\sigma_1$ was an SPE in $G_1$, we know also that $\hat{o}_1(\sigma_1) \geq_i o_1$. Since $o_0 = \hat{o}(\sigma) = \hat{o}_1(\sigma_1)$, we can conclude by transitivity that $o_0 \geq_i o_2$. 

Finally, note that the case where either $\sigma_1$ or $\tau_1$ or both are infinite can be treated by a simplification of the above argument. □ 

The following lemma isolates the arguments needed to prove the soundness of the inference rule for iteration. Our assumption that our model $\mathcal{I}$ contains a uniformly worst element is needed here. 

Lemma 2 If $\mathcal{I} \models \{P \cap B^{\mathcal{I}}\}\,\gamma\,\{P\}$ then $\mathcal{I} \models \{P\}\,\mathbf{while}\ B\ \mathbf{do}\ \gamma\,\{P \cap (\neg B)^{\mathcal{I}}\}$. 

Proof. Roughly speaking, the proof is an iterated application of the preceding composition lemma, but a few subtleties have to be dealt with, in particular the possibility of newly arising infinite runs. 

Suppose that $(s, o) \in P$. In order to define a strategy $\sigma$ and outcome function $\hat{o}$ for $G(\mathbf{while}\ B\ \mathbf{do}\ \gamma, s, \mathcal{I})$, we shall inductively define strategy profile $\sigma_n$ and outcome function $\hat{o}_n$ for game $G_n$ which consists of the first $n$ iterations of game $G$. Game $G_0$ simply consists of configuration $(A, s)$, strategy profile $\sigma_0$ consists of doing nothing, and as an outcome function we take $\hat{o}_0((A, s)) = o$. Note that $\hat{o}_0 \in O_P$. 

For the inductive step, define $G_{n+1}$ as $G_n$ where for every terminal state $(t, o_t) \in P \cap B^{\mathcal{I}}$ in $G_n$ we concatenate $G_t(\gamma, t, \mathcal{I})$ to $t$. By our assumption, for each such terminal state, we have an outcome function $\hat{o}_t$ and an SPE strategy profile $\sigma_t$, and we define $\sigma_{n+1}$ and $\hat{o}_{n+1}$ in the natural way, by extending $\sigma_n$ and $\hat{o}_n$ to $G_{n+1}$ using the $\hat{o}_t$ and $\sigma_t$. 

Now with slight abuse of notation, we can define strategy profile $\sigma$ and outcome function $\hat{o}$ for $G$ as follows: We take $\sigma = \bigcup_i \sigma_i$, i.e., we simply take the profile generated by the $\sigma_t$. Similarly, we define $\hat{o} = \bigcup_i \hat{o}_i$, i.e., every run $\tau$ of $G$ which is part of some $G_i$ is evaluated according to $\hat{o}_i$. Furthermore, there may be new infinite runs in $G$ which are not part of any $G_i$, but are instead generated by an infinite number of plays of $\gamma$ itself. Given such an infinite run $\tau$, we define $\hat{o}(\tau) = o_c$ in case there is some $j$ such that for all $k > j$ we have $\hat{o}_k(\tau|G_k) = o_c$; otherwise, we let $\hat{o}(\tau) = -\infty$. Thus, for infinite runs which converge on a certain outcome $o_c$, we assign $o_c$ to the run, and otherwise simply the uniformly worst outcome. Note that $\hat{o} \in O_{P \cap (\neg B)^{\mathcal{I}}}$. 

Observe first that $\hat{o}(\sigma) = o$. For we have $\hat{o}_1(\sigma_1) = o$, $\hat{o}_2(\sigma_2) = \hat{o}_1(\sigma_1) = o$, etc., and so in case $\sigma$ is finite, there is some maximal $k$ such that $\hat{o}(\sigma) = \hat{o}_k(\sigma_k) = o$. In case $\sigma$ is infinite, we have a constant and hence converging sequence of outcomes consisting of $o$ only. 

Hence, all we need to show is that $\sigma$ is an SPE in $G(\mathbf{while}\ B\ \mathbf{do}\ \gamma, s, \mathcal{I}, \hat{o})$. So consider any subgame $G'$ of $G$ and a strategy profile $\tau$ differing from $\sigma$ only in the strategy of some player $i$, such that $\hat{o}(\sigma) = o_0$ and $\hat{o}(\tau) = o_2$. Now the reasoning can proceed along the lines of the composition lemma and the figure given there: In case $\tau$ yields a run which lies in $G_k$, we can show by induction on $k$ that $o_0 \geq_i o_2$, each step involving the reasoning carried out in the composition lemma. On the other hand, in case $\tau$ is an infinite run generated by infinitely many $\gamma$-repetitions, we need to distinguish two cases: In the easy case where $\hat{o}(\tau) = -\infty$, the result is obvious. In the more complicated case, $\hat{o}(\tau) = o_c$ due to a sequence of outcomes which converges on $o_c$. Suppose $k$ is the smallest number for which $\hat{o}_k(\tau|G_k) = o_c$. Then again we can apply the reasoning of the composition lemma $k$ times to show that $o_0 \geq_i o_c$. □ 


Theorem 3 (Soundness) If $\mathcal{I} \vdash \{P\}\,\gamma\,\{Q\}$ then $\mathcal{I} \models \{P\}\,\gamma\,\{Q\}$. 

Proof. The proof is by induction on the length of the derivation, so we start with showing the validity of the axioms. The soundness of the $ch_A$ axiom follows by definition. 

For $\mathcal{I} \vdash \{Q[x/t]\}\,x := t\,\{Q\}$, suppose that $(s, o) \in Q[x/t]$. We know that all runs in $G(x := t, s, \mathcal{I})$ are finite. Since no choices need to be made in $G(x := t, s, \mathcal{I})$, the one existing strategy profile $\sigma$ is trivially an equilibrium in $G(x := t, s, \mathcal{I}, \hat{o})$ for any outcome function $\hat{o} \in O_Q$, and in particular for the outcome function $\hat{o}$ which assigns $o$ to $\sigma$. Note that since $(s, o) \in Q[x/t]$, $(s[x/t], o) \in Q$, and hence $\hat{o} \in O_Q$. 

Turning to the inference rules, note that the case of composition is treated in lemma 1, and the logical consequence rule is an easy consequence of the semantic definition of $\mathcal{I} \models \{P\}\,\gamma\,\{Q\}$. For conditional branching, the conclusion follows directly from the two premises, given that $G(\mathbf{if}\ B\ \mathbf{then}\ \gamma_1\ \mathbf{else}\ \gamma_2, s, \mathcal{I})$ is either $G_1(\gamma_1, s, \mathcal{I})$ or $G_2(\gamma_2, s, \mathcal{I})$. Finally, lemma 2 takes care of iteration. □ 

Note that the soundness result also holds for Nash equilibria: If in the definition of $\mathcal{I} \models \{P\}\,\gamma\,\{Q\}$ we replace SPE by NE, the above soundness result can still be proved. This is as it should be, since every subgame-perfect equilibrium is also a Nash equilibrium. 

5.3 Completeness 

Like in the completeness proof for the standard Hoare calculus, the notion of a weakest precondition plays an important role for our calculus as well. The following lemma contains the essential argument for the completeness result. 

Lemma 4 (Decomposition) If $\mathcal{I} \models \{P\}\,\gamma_1;\gamma_2\,\{Q\}$, then for some $R$ we have $\mathcal{I} \models \{P\}\,\gamma_1\,\{R\}$ and $\mathcal{I} \models \{R\}\,\gamma_2\,\{Q\}$. 

Proof. Our assumption is $\mathcal{I} \models \{P\}\,\gamma_1;\gamma_2\,\{Q\}$. Let $R = wpre(\gamma_2, Q, \mathcal{I})$; then all we need to show is that $\mathcal{I} \models \{P\}\,\gamma_1\,\{R\}$. So supposing that $(s, o) \in P$, we need to provide an outcome function $\hat{o}_1 \in O_R$ and a strategy profile $\sigma_1$ such that $\sigma_1$ is an SPE in $G_1(\gamma_1, s, \mathcal{I}, \hat{o}_1)$ and $\hat{o}_1(\sigma_1) = o$. 

Consider the outcome function $\hat{o} \in O_Q$ and the strategy profile $\sigma$ for $G(\gamma_1;\gamma_2, s, \mathcal{I})$ provided by our assumption. We let $\sigma_1 = \sigma|G_1$. As for the definition of $\hat{o}_1$, for every infinite run $\tau$ of $G_1$ we let $\hat{o}_1(\tau) = \hat{o}(\tau)$. If on the other hand $\tau$ is finite, we define $\hat{o}_1(\tau) = \hat{o}(\tau \cdot \sigma_\tau)$, where $\sigma_\tau = \sigma|G_\tau$. By our assumption, we have $\hat{o}_1(\sigma_1) = \hat{o}(\sigma) = o$. Furthermore, since $(s_\tau, \hat{o}(\tau \cdot \sigma_\tau)) \in R$, $\hat{o}_1 \in O_R$. 

Hence, all we need to show is that $\sigma_1$ is an SPE in $G_1(\gamma_1, s, \mathcal{I}, \hat{o}_1)$. So consider any subgame $G_1' = (\pi, t, \mathcal{I}, \hat{o}_1)$ of $G_1$, and a strategy profile $\tau_1$ differing from $\sigma_1$ only in the strategy of some player $i$, where we take $\hat{o}_1(\sigma_1) = o_0$ and $\hat{o}_1(\tau_1) = o_1$. Assume first that both $\sigma_1$ and $\tau_1$ are finite. Considering $G' = (\pi;\gamma_2, t, \mathcal{I}, \hat{o})$, we know that there is a profile $\sigma_2$ (derived from $\sigma$) such that $\sigma_1 \cdot \sigma_2$ is an SPE in $G'$ and $\tau_1 \cdot \sigma_2$ differs from $\sigma_1 \cdot \sigma_2$ only in player $i$'s strategy. The situation is depicted below. 

By definition, we know that $\hat{o}_1(\sigma_1) = \hat{o}(\sigma_1 \cdot \sigma_2) = o_0$ and $\hat{o}_1(\tau_1) = \hat{o}(\tau_1 \cdot \sigma_2) = o_1$, and hence we must have $o_0 \geq_i o_1$. 

Note that in case either $\sigma_1$ or $\tau_1$ or both are infinite, a simplified version of the above argument can be applied. □ 

The above lemma is what distinguishes subgame-perfect equilibria from Nash equilibria, since only the former can be decomposed in the way shown by the decomposition lemma. For Nash equilibria, the above lemma fails: when defining $\hat{o}_1$ in the above proof, we cannot be sure that $\hat{o}_1 \in O_R$, since a subprofile of an equilibrium profile may itself not be an equilibrium profile. Consequently, also the following completeness result does not hold for Nash equilibria. 

Theorem 5 (Completeness) If $\mathcal{I} \models \{P\}\,\gamma\,\{Q\}$ then $\mathcal{I} \vdash \{P\}\,\gamma\,\{Q\}$. 

Proof. The proof proceeds by induction on the structure of $\gamma$. For $x := t$, note that for any state $s$, the game $G(x := t, s, \mathcal{I})$ contains only a single finite run ending in state $s[x/t]$. Observe that $P \subseteq Q[x/t]$: if $(s, o) \in P$, every run terminates in state $(s[x/t], o) \in Q$, and hence $(s, o) \in Q[x/t]$. Applying the logical consequence rule to the assignment axiom, we then obtain $\mathcal{I} \vdash \{P\}\,x := t\,\{Q\}$. 

For $ch_A$, we use the axiom and the logical consequence rule, and for $\gamma_1;\gamma_2$, we can appeal to the decomposition lemma, the induction hypothesis, and the composition rule. The case of $\mathbf{if}\ B\ \mathbf{then}\ \gamma_1\ \mathbf{else}\ \gamma_2$ is straightforward, so we only need to deal with the while-loop. 

For iteration, suppose that $\mathcal{I} \models \{P\}\,\mathbf{while}\ B\ \mathbf{do}\ \gamma\,\{Q\}$. Similarly to the proof of the decomposition lemma, we let $R = wpre(\mathbf{while}\ B\ \mathbf{do}\ \gamma, Q, \mathcal{I})$. First, we shall establish that $\mathcal{I} \models \{R \cap B^{\mathcal{I}}\}\,\gamma\,\{R\}$. By definition, we have $\mathcal{I} \models \{R\}\,\mathbf{while}\ B\ \mathbf{do}\ \gamma\,\{Q\}$. From this, $\mathcal{I} \models \{R \cap B^{\mathcal{I}}\}\,\gamma;\mathbf{while}\ B\ \mathbf{do}\ \gamma\,\{Q\}$ is easily seen to follow. Now we can apply the decomposition lemma: Since the $R$ provided by the proof of the decomposition lemma is precisely the one we defined above, we can conclude that $\mathcal{I} \models \{R \cap B^{\mathcal{I}}\}\,\gamma\,\{R\}$. Now using the induction hypothesis and applying the while-rule, we obtain $\mathcal{I} \vdash \{R\}\,\mathbf{while}\ B\ \mathbf{do}\ \gamma\,\{R \cap (\neg B)^{\mathcal{I}}\}$. 

Since $P \subseteq R$ and $R \cap (\neg B)^{\mathcal{I}} \subseteq Q$, we can apply the logical consequence rule to derive $\mathcal{I} \vdash \{P\}\,\mathbf{while}\ B\ \mathbf{do}\ \gamma\,\{Q\}$. □ 


6 Applying the Calculus - Some Examples 

6.1 Solomon’s Dilemma 

Consider again Solomon's 2-stage mechanism given in section 4.4, where we will replace the variable owner by $w$ to save space. We will show one of the two required correctness claims, namely that $\mathcal{I}[\theta_1] \vdash$ 

    $\{o = (1, 0, 0)\}$
    ch_{1}({x_1});
    if x_1 > 0 then w := 2
    else ch_{2}({x_2});
         if x_2 > 0 then w := 1 else w := 0
    $\{(w = 1 \to o = (1, 0, 0)) \wedge (w = 2 \to o = (2, 0, 0)) \wedge (w = 0 \to o = (2, \varepsilon, M))\}$,

corresponding to the situation where player 1 is the real owner of the painting. Note that for ease of notation we are now simply representing (extended) predicates by formulas in first-order logic. 

Denoting the postcondition by $Q_0$, we have $\mathcal{I}[\theta_1] \vdash \{o = (2, \varepsilon, M)\}\,w := 0\,\{Q_0\}$ and $\mathcal{I}[\theta_1] \vdash \{o = (1, 0, 0)\}\,w := 1\,\{Q_0\}$ using the assignment axiom. Hence, by the if-rule we have $\mathcal{I}[\theta_1] \vdash$ 

    $\{(x_2 > 0 \to o = (1, 0, 0)) \wedge (x_2 \leq 0 \to o = (2, \varepsilon, M))\}$
    if x_2 > 0 then w := 1 else w := 0
    $\{Q_0\}$.

Denote the new precondition by $Q_1$. Since in $\theta_1$ we have $(1, 0, 0) >_2 (2, \varepsilon, M)$, we know that when choosing a value for $x_2$, player 2 will choose the outcome $(1, 0, 0)$, and hence we have $\mathcal{I}[\theta_1] \vdash \{o = (1, 0, 0)\}\,ch_{\{2\}}(\{x_2\})\,\{Q_1\}$. On the other hand, we know by the assignment rule that $\mathcal{I}[\theta_1] \vdash \{o = (2, 0, 0)\}\,w := 2\,\{Q_0\}$. Hence, using the if-rule and composition, we have $\mathcal{I}[\theta_1] \vdash$ 

    $\{(x_1 > 0 \to o = (2, 0, 0)) \wedge (x_1 \leq 0 \to o = (1, 0, 0))\}$
    if x_1 > 0 then w := 2
    else ch_{2}({x_2});
         if x_2 > 0 then w := 1 else w := 0
    $\{Q_0\}$,

where we denote the new precondition by $Q_2$. Finally, since $(1, 0, 0) >_1 (2, 0, 0)$, player 1 will choose $(1, 0, 0)$ in an equilibrium, and so we have $\mathcal{I}[\theta_1] \vdash \{o = (1, 0, 0)\}\,ch_{\{1\}}(\{x_1\})\,\{Q_2\}$. Using the composition rule, we have thereby succeeded in verifying the original claim, that the 2-stage mechanism does indeed provide an SPE-implementation solving Solomon's (modified) dilemma. 
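As an added example (not code from the paper), the following Python script encodes the two-stage mechanism $\gamma$ of section 4.4 and solves it by backward induction, recovering the SPE outcomes just derived for $\theta_1$ and, symmetrically, for $\theta_2$; it also shows that the bounds $v_l < M < v_h$ on the fine are needed. The valuations and fines are constructed sample values, and the encoding of answers follows the paper's program: $x_i > 0$ means "the painting is not mine".

```python
# Added example, not code from the paper: backward induction over Solomon's
# two-stage painting mechanism gamma (section 4.4), checking the SPE outcomes
# derived in section 6.1.  As in the paper's program, an answer x_i > 0 means
# "the painting is not mine", and x_2 is only consulted when x_1 <= 0.
# V_H, V_L, EPS and M are constructed sample values satisfying v_l < M < v_h.

V_H, V_L = 10.0, 4.0   # constructed valuations: v_h > v_l > 0
EPS, M = 1.0, 7.0      # constructed fines: v_l < M < v_h


def outcome(x1, x2, eps=EPS, m=M):
    """Mechanism gamma: returns (x, m_1, m_2) = (who gets it, fine_1, fine_2)."""
    if x1 > 0:
        return (2, 0, 0)      # Anne disclaims: Bess gets the painting, no fines
    if x2 > 0:
        return (1, 0, 0)      # Bess disclaims: Anne gets the painting, no fines
    return (2, eps, m)        # both claim: Anne fined eps, Bess gets it, pays M


def payoff(player, o, legit, v_h=V_H, v_l=V_L):
    """Payoff of `player` (1 = Anne, 2 = Bess) under outcome o when `legit`
    is the legitimate owner: valuation if she gets the painting, minus her fine."""
    x, m1, m2 = o
    fine = m1 if player == 1 else m2
    if x != player:
        return -fine
    return (v_h if player == legit else v_l) - fine


def spe_outcome(legit, v_h=V_H, v_l=V_L, eps=EPS, m=M):
    """Solve the game for profile theta_legit by backward induction: Bess
    best-responds at her node, Anne anticipates that reply at hers.
    Returns the outcome triple of the subgame-perfect equilibrium."""
    answers = (0, 1)          # 0 = "mine", 1 = "not mine" (any positive value)

    def bess_reply(x1):       # stage 2: Bess's best reply to Anne's answer
        return max(answers,
                   key=lambda x2: payoff(2, outcome(x1, x2, eps, m), legit, v_h, v_l))

    def anne_value(x1):       # stage 1: Anne's payoff given Bess's best reply
        return payoff(1, outcome(x1, bess_reply(x1), eps, m), legit, v_h, v_l)

    x1 = max(answers, key=anne_value)
    return outcome(x1, bess_reply(x1), eps, m)


def implements_f(**params):
    """True iff the SPE outcome is f(theta_i) = (i, 0, 0) for both profiles,
    i.e. the painting goes to the legitimate owner and nobody pays a fine."""
    return (spe_outcome(1, **params) == (1, 0, 0)
            and spe_outcome(2, **params) == (2, 0, 0))


if __name__ == "__main__":
    print("theta_1 (Anne owns):", spe_outcome(1))      # (1, 0, 0)
    print("theta_2 (Bess owns):", spe_outcome(2))      # (2, 0, 0)
    print("v_l < M < v_h implements f:", implements_f())   # True
    print("M > v_h breaks it:", implements_f(m=12.0))      # False
    print("M < v_l breaks it:", implements_f(m=3.0))       # False
```

With $M > v_h$ the legitimate Bess disclaims rather than pay the fine, and with $M < v_l$ the illegitimate Bess claims, so in each case one of the two correctness claims fails.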


6.2 Auctions 

Second-Price Sealed-Bid Auction 

We have already presented the sealed-bid second-price auction in section 4.3. We argued that in the relevant model $\mathcal{I}$ where two players have private valuations represented by the constants $v_1$ and $v_2$, we have $\mathcal{I} \models$ 

$$\{(v_1 > v_2 \to (o_1 = v_1 - v_2 \wedge o_2 = 0)) \wedge (v_1 < v_2 \to (o_1 = 0 \wedge o_2 = v_2 - v_1))\}$$
$$ch_{\{1,2\}}(\{x_1, x_2\})$$
$$\{(x_1 > x_2 \to (o_1 = v_1 - x_2 \wedge o_2 = 0)) \wedge (x_1 < x_2 \to (o_1 = 0 \wedge o_2 = v_2 - x_1))\},$$

due to the fact that we obtain a Nash equilibrium if each player bids his valuation, i.e. $x_i = v_i$. We abbreviate the given precondition with $P$ and the postcondition with $R$. Note that $P$ is not the weakest precondition $wpre(ch_{\{1,2\}}(\{x_1, x_2\}), R, \mathcal{I})$, and hence $\mathcal{I} \vdash \{P\}\,ch_{\{1,2\}}(\{x_1, x_2\})\,\{R\}$ is not an axiom. This is because there are equilibria other than the one mentioned. For example, suppose that $v_1 > v_2$. Then if $v_2 < x_1 = x_2 < v_1$, we also have a Nash equilibrium. Hence, for $v_2 < k < v_1$, we can also consider the following precondition $P_k$: 

$$(v_1 > v_2 \to (o_1 = v_1 - k \wedge o_2 = 0)) \wedge (v_1 < v_2 \to (o_1 = 0 \wedge o_2 = v_2 - k))$$

for which we also have $\mathcal{I} \models \{P_k\}\,ch_{\{1,2\}}(\{x_1, x_2\})\,\{R\}$. Consequently, $P_k \cup P$ is weaker than $P$ for $k \neq v_2$, and hence $\mathcal{I} \vdash \{P\}\,ch_{\{1,2\}}(\{x_1, x_2\})\,\{R\}$ is indeed not an axiom. Still, it can be easily obtained from the choice axiom using the logical consequence rule. 

Dutch Auction 

We shall now illustrate the calculus in action for verifying the more complex Dutch auction which involves a while loop. In fact, we shall illustrate that the Dutch auction is equivalent to the preceding sealed-bid second-price auction in the very weak sense that the Dutch auction has the same subgame-perfect equilibrium as the sealed-bid second-price auction, where the player with the higher valuation receives the object, paying the price of the other player's valuation. More formally, we shall show that both implement the same social choice correspondence defined in section 4.3, under certain conditions. 

As mentioned in section 4.3, in a Dutch auction, the auctioneer continues to lower the price of an object until a player decides to take the object for the current price. Over the domain of natural numbers, the Dutch auction is captured by the following mechanism $\alpha$: 

    p := init;
    w := 0;
    while p > 0 ∧ w = 0 do
        ch_{1,2}({x_1, x_2});
        if x_1 > 0 then w := 1
        else if x_2 > 0 then w := 2
        else p := p − 1

Variable $w$ keeps track of the winner, $p$ keeps track of the current price, and is initialised to some value $init$. For each offer, both players can choose a nonnegative number signaling their desire to buy the object for price $p$. As the algorithm is written down here, in case both players want to buy the object, player 1 gets it. Note that it is also subtleties like these which provide an argument for formally specifying and verifying mechanisms. The following postcondition $Q$ naturally assigns payoffs at the end of the Dutch auction: 

$$(w = 1 \to (o_1 = v_1 - p \wedge o_2 = 0)) \wedge (w = 2 \to (o_1 = 0 \wedge o_2 = v_2 - p)) \wedge (w = 0 \to (o_1 = 0 \wedge o_2 = 0))$$

Our goal will be to show that $\mathcal{I} \vdash \{P\}\,\alpha\,\{Q\}$, i.e., just like the sealed-bid auction $(ch_{\{1,2\}}(\{x_1, x_2\}), R)$ SPE-implements our desired social choice correspondence, so does $(\alpha, Q)$. 

As in standard program verification, the art of proving the correctness of a while-loop lies in finding an invariant which remains true at the beginning of every loop execution. Consider the following invariant $Inv$: 

$$v_1 > v_2 > 0 \wedge p \geq v_2 \wedge w \in \{0, 1, 2\}$$
$$\wedge\ (w = 1 \to (o_1 = v_1 - p \wedge o_2 = 0))$$
$$\wedge\ (w = 2 \to (o_1 = 0 \wedge o_2 = v_2 - p))$$
$$\wedge\ (w = 0 \to (o_1 = v_1 - v_2 \wedge o_2 = 0))$$

Note that in order to simplify the exposition we have restricted ourselves to the case where $v_1 > v_2$, but this restriction is in no way essential. The invariant is similar to the desired postcondition $Q$; the main difference lies in the situation where there is no winner. In that case, our desired outcome will be the SPE of the remaining subgame, the outcome designated by our social choice function, $o_1 = v_1 - v_2$ and $o_2 = 0$. Besides these winning conditions, we state the range of variable $w$ as well as two conditions for $v_2$. First, $v_2$ must never be greater than the current price, for our equilibrium strategies force us to exit the loop at $v_2$. If, e.g., the auction started with a price below $v_2$, player 1 could immediately take the object and thereby receive a payoff higher than $v_1 - v_2$. Second, $v_2$ must be strictly greater than 0, for otherwise it would be optimal for player 1 to take the object in the last round, where the price is $p = 1$, hence obtaining a payoff lower than $v_1 - v_2$. Note that the need for these additional constraints was discovered in the verification process, and hence the "discovery" of these crucial side conditions should be regarded as a result of the verification effort. 

We will now proceed to show that $Inv$ is indeed an invariant, i.e., that $\mathcal{I} \vdash$ 

    $\{Inv \wedge p > 0 \wedge w = 0\}$
    ch_{1,2}({x_1, x_2});
    if x_1 > 0 then w := 1
    else if x_2 > 0 then w := 2
    else p := p − 1
    $\{Inv\}$

Note that in fact, $p > 0$ is already implied by $Inv$, which means that if $Inv$ is indeed an invariant, the auction can never terminate due to the price having reached 0. Hence, for the purposes of verifying the desired equilibrium, the condition $p > 0$ is redundant in the guard condition of the while-loop. 

To begin with, applying the assignment rule and the if-rule, it is easy to check that $\mathcal{I} \vdash$ 

    $\{v_1 > v_2 > 0 \wedge p \geq v_2 \wedge (x_1 > 0 \to (o_1 = v_1 - p \wedge o_2 = 0))$
    $\wedge\ ((x_1 = 0 \wedge x_2 > 0) \to (o_1 = 0 \wedge o_2 = v_2 - p))$
    $\wedge\ ((x_1 = 0 \wedge x_2 = 0) \to Inv[p/p-1])\}$
    if x_1 > 0 then w := 1
    else if x_2 > 0 then w := 2
    else p := p − 1
    $\{Inv\}$,

where $Inv[p/p-1]$ results from substituting $p - 1$ for $p$ in $Inv$. Denote the new precondition as $Inv_2$. Now we claim that $\mathcal{I} \vdash$ 

    $\{v_1 > v_2 > 0 \wedge p \geq v_2 \wedge w = 0 \wedge (p \leq v_2 \to (o_1 = v_1 - p \wedge o_2 = 0))$
    $\wedge\ (p > v_2 \to (o_1 = v_1 - v_2 \wedge o_2 = 0))\}$
    ch_{1,2}({x_1, x_2})
    $\{Inv_2\}$

Assume that $v_1 > v_2 > 0$, and consider a state $s$ where $p \geq v_2$ and $w = 0$. We distinguish two cases. First, if $p \leq v_2$ (i.e., $p = v_2$), both players asking for the object, i.e., $x_1 > 0$ and $x_2 > 0$, constitutes a Nash equilibrium in the game with payoffs according to $Inv_2$, with payoffs $o_1 = v_1 - p$ and $o_2 = 0$. Second, suppose that $p > v_2$. In this case, both players declining the object, i.e., $x_1 = x_2 = 0$, constitutes a Nash equilibrium. Player 2 should not ask for it since the price exceeds his valuation, and player 1 should not ask for it since the price will be lower in the next round; formally, declining the object yields $o_1 = v_1 - v_2$, whereas demanding the object only yields $o_1 = v_1 - p$. Note that here it is essential that $v_2 > 0$, since it allows us to conclude that also $p - 1 > 0$, i.e., we have not reached the last auction round yet; there will be another round with a lower price. 

Denote the new precondition as $Inv_3$. Note that $Inv \wedge w = 0 \subseteq Inv_3$. Hence, by using the composition rule and the logical consequence rule, we have established that $Inv$ is indeed an invariant of the loop. Hence, we can apply the while rule to derive that $\mathcal{I} \vdash$ 

    $\{Inv\}$
    while p > 0 ∧ w = 0 do
        ch_{1,2}({x_1, x_2});
        if x_1 > 0 then w := 1
        else if x_2 > 0 then w := 2
        else p := p − 1
    $\{Inv \wedge \neg(p > 0 \wedge w = 0)\}$

So to conclude the verification of the Dutch auction, it suffices to note two things. First, $Inv \wedge \neg(p > 0 \wedge w = 0) \subseteq Q$, and hence we can apply the logical consequence rule to obtain the desired postcondition $Q$. Second, we have $\mathcal{I} \vdash$ 

    $\{v_1 > v_2 > 0 \wedge init \geq v_2 \wedge o_1 = v_1 - v_2 \wedge o_2 = 0\}$
    p := init;
    w := 0
    $\{Inv\}$

Hence, using the composition rule, we have now shown that $\mathcal{I} \vdash$ 

    $\{v_1 > v_2 > 0 \wedge init \geq v_2 \wedge o_1 = v_1 - v_2 \wedge o_2 = 0\}$
    p := init;
    w := 0;
    while p > 0 ∧ w = 0 do
        ch_{1,2}({x_1, x_2});
        if x_1 > 0 then w := 1
        else if x_2 > 0 then w := 2
        else p := p − 1
    $\{(w = 1 \to (o_1 = v_1 - p \wedge o_2 = 0)) \wedge (w = 2 \to (o_1 = 0 \wedge o_2 = v_2 - p))$
    $\wedge\ (w = 0 \to (o_1 = 0 \wedge o_2 = 0))\}$

Note that the verification process has revealed two crucial details which had to be added to our original precondition $P$. First, $init \geq v_2$. This means that we need to make sure that we start the auction at a price that is high enough. If the players' valuations are not known, the choice of the initial price can indeed be a problem. On the other hand, the condition tells us exactly what "high enough" means; in particular, the initial price does not need to exceed everybody's valuation. Second, $v_2 > 0$. Hence, it does not suffice if only a single player has a non-zero valuation of the object. The problem here lies in the fact that in order to obtain the object one has to pay at least something, and if the other player's valuation is zero, that something is more than the other player's valuation, and hence the payoff is in turn lower than expected. Hence, we have succeeded in verifying that $(\alpha, Q)$ does indeed implement the social choice correspondence of section 4.3 associated with the second-price auction, on condition that $init \geq v_2 > 0$. 
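As an added example (not code from the paper), the following Python script carries out the backward induction that underlies the invariant proof above: it runs the price loop of $\alpha$ backwards from $init$ down to the loop exit at $p = 0$ and checks, at every price, that the profile read off $Inv$ (both players decline while $p > v_2$, both ask once $p \leq v_2$) has no profitable one-shot deviation, which is what the choice axiom requires of each atomic $ch_{\{1,2\}}$ game. It assumes natural-number prices and $v_1 > v_2$ as in the text; the valuations and initial prices used are constructed sample values, and the cases $v_2 = 0$ and $init < v_2$ reproduce the two side conditions found in the verification.

```python
# Added example, not code from the paper: one-shot-deviation check of the
# Dutch auction mechanism alpha (section 6.2) over natural-number prices,
# assuming v_1 > v_2 as in the text.  Numeric arguments are constructed.


def stage_outcome(p, x1, x2, v1, v2, continuation):
    """Payoffs (o_1, o_2) of one loop iteration at price p.  x_1 > 0: player 1
    wins and pays p; else x_2 > 0: player 2 wins; else the loop continues, so
    the payoff is the SPE outcome of the remaining subgame (`continuation`)."""
    if x1 > 0:
        return (v1 - p, 0)
    if x2 > 0:
        return (0, v2 - p)
    return continuation


def inv_strategy(p, v2):
    """Profile read off the invariant Inv: both decline (0) while p > v_2,
    both ask (1) once p <= v_2.  Any positive number would do for 'ask'."""
    ask = 1 if p <= v2 else 0
    return (ask, ask)


def check_dutch_auction(v1, v2, init):
    """Backward induction from the last round (p = 1) up to the first (p = init).
    Returns (outcome, deviations): the outcome the profile yields from `init`,
    and the list of (price, player) pairs at which that player gains by a
    unilateral one-shot deviation.  An empty list means the profile is an SPE."""
    continuation = (0, 0)          # loop exits with w = 0 once p reaches 0
    deviations = []
    for p in range(1, init + 1):
        x1, x2 = inv_strategy(p, v2)
        o = stage_outcome(p, x1, x2, v1, v2, continuation)
        for d in (0, 1):           # each player tries the other action
            if stage_outcome(p, d, x2, v1, v2, continuation)[0] > o[0]:
                deviations.append((p, 1))
            if stage_outcome(p, x1, d, v1, v2, continuation)[1] > o[1]:
                deviations.append((p, 2))
        continuation = o           # SPE outcome of the subgame starting at p
    return continuation, deviations


def spe_implements_second_price(v1, v2, init):
    """True iff the Inv profile is an SPE and yields (v_1 - v_2, 0), the
    outcome of the social choice correspondence of section 4.3 for v_1 > v_2."""
    outcome, deviations = check_dutch_auction(v1, v2, init)
    return not deviations and outcome == (v1 - v2, 0)


if __name__ == "__main__":
    # constructed valuations v_1 = 10, v_2 = 4
    print(check_dutch_auction(10, 4, 7))            # ((6, 0), [])
    print(spe_implements_second_price(10, 4, 7))    # True
    print(spe_implements_second_price(10, 4, 4))    # True: init = v_2 suffices
    print(check_dutch_auction(10, 0, 5))            # v_2 = 0: player 1 deviates at p = 1
    print(check_dutch_auction(10, 4, 3))            # init < v_2: SPE, but outcome (7, 0)
```

With $v_2 = 0$ the declining profile is no SPE, since player 1 gains by taking the object at $p = 1$; with $init < v_2$ the profile is an SPE but the outcome is not $(v_1 - v_2, 0)$, exactly the two failures the invariant's side conditions rule out.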

Finally, it should be emphasised again that the weak equivalence of the Dutch auction and the sealed-bid second-price auction demonstrated here is very weak indeed, since these auctions are very different. Crucially, in the sealed-bid second-price auction, a player does not need to know the other player's valuation. It suffices that each player submits his own valuation as a bid. In the Dutch auction, however, obtaining the same equilibrium outcome requires the player with the higher valuation to know the valuation of the other player so that he can decide to shout out just at the right moment. Hence, the two auctions do not satisfy the same knowledge preconditions. The standard result concerning the equivalence between Dutch auction and first-price auction does take these knowledge preconditions into account. 

7 Conclusions 

Two main directions for future research present themselves: On the foundational side, the question arises whether the present approach can also be applied to other equilibrium notions. We have already remarked that while the calculus presented can also be used to reason about Nash equilibria, the non-compositional nature of these equilibria stands in the way of a complete calculus. Hence, alternative equilibrium notions that promise to be amenable to our approach will be refinements of subgame-perfect equilibria. Second, we mentioned already that an intensional approach to pre- and postconditions is worth developing. For this, the crucial question is whether the logic used (FOL) and the expressiveness results obtained for programs can be carried over to mechanisms. 

At the most general level, we hope that this paper has shown that tools from computational logic can be extended from program verification to the verification of game-theoretic mechanisms. The examples provided should suffice to convince the reader of the variety of possible applications of such an extension. The semantics of the correctness assertions for mechanisms is more complex than for programs, but this is counterbalanced by the fact that the mechanisms we would like to verify (e.g., spectrum auctions for telecommunication markets) may turn out to be simpler than their counterparts in computer software (e.g., operating systems). 